Full_Name: Quanah Gibson-Mount
Version: 2.4.44
OS: Linux
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (47.208.148.26)
When slapo-pcache is set up to use the user credentials for binding, the first bind will succeed accordingly, but subsequent binds will fall back to anonymous, as slapd logs that the credentials are not found:
58645256 conn=1024 op=1 ldap_back_dobind_int: DN="cn=james a jones 1,ou=alumni association,ou=people,dc=example,dc=com" without creds, binding anonymouslyldap_sasl_bind
This is trivial to reproduce by making a slight modification to test020-proxycache:
index f4e5cb7..105b911 100755 --- a/tests/scripts/test020-proxycache +++ b/tests/scripts/test020-proxycache @@ -645,6 +645,22 @@ if test $RC != 4 ; then test $KILLSERVERS != no && kill -HUP $KILLPIDS && wait exit 1 fi + +CNT=`expr $CNT + 1` +FILTER="(sn=Jon)" +ATTRS="cn mail telephonenumber" +echo "Query $CNT: (Result should not be cached)" +echo "# Query $CNT: (Result should not be cached)" >> $SEARCHOUT +$LDAPSEARCH -S "" -b "$BASEDN" -h $LOCALHOST -p $PORT2 \ + -D "$USERDN" -w "$UPASSWD" "$FILTER" $ATTRS >> $SEARCHOUT 2>> $TESTOUT +RC=$? + +if test $RC != 0 ; then + echo "ldapsearch failed ($RC)!" + test $KILLSERVERS != no && kill -HUP $KILLPIDS + exit $RC +fi +
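Review bot: the `if test $RC != 0` check at the end of the added block cannot detect the regression this report is about, because ldapsearch still returns 0 when back-ldap silently falls back to an anonymous bind (the report itself notes the error case isn't useful and points at slapd.2.log instead). Suggest having the test grep slapd.2.log for the `without creds, binding anonymously` line for `$USERDN` after the search and `exit 1` if it is present, so the failure is caught by the test run rather than by manual log inspection. Minor: the cleanup line `test $KILLSERVERS != no && kill -HUP $KILLPIDS` drops the trailing `&& wait` that the surrounding context uses.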
The error test case isn't useful here, but slapd.2.log can be examined to see the behavior.
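As an added example (not part of this ITS report or of the OpenLDAP test suite), the following POSIX shell snippet turns the manual look at slapd.2.log into an automatic check: it extracts every bind DN for which back-ldap logged the "without creds, binding anonymously" fallback and fails when any is found. The sample log file is constructed inline in the style of the slapd line quoted above; the conn/op numbers and the extra SRCH line are made up for the example, and the function names are my own.

```shell
#!/bin/sh
# Added example: fail a test when back-ldap fell back to an anonymous bind.
# Not part of the ITS report or of tests/scripts/test020-proxycache.

# Constructed sample slapd log (made-up conn/op numbers; the fallback line
# follows the format of the line quoted in the report).
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
58645255 conn=1023 op=1 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(sn=jon)"
58645256 conn=1024 op=1 ldap_back_dobind_int: DN="cn=james a jones 1,ou=alumni association,ou=people,dc=example,dc=com" without creds, binding anonymously
58645257 conn=1024 op=2 ldap_back_dobind_int: DN="cn=james a jones 1,ou=alumni association,ou=people,dc=example,dc=com" without creds, binding anonymously
EOF

# anon_fallbacks LOGFILE
# Prints one "<count> <dn>" line per bind DN that hit the anonymous fallback.
anon_fallbacks() {
    sed -n 's/.*ldap_back_dobind_int: DN="\([^"]*\)" without creds, binding anonymously.*/\1/p' "$1" \
        | sort | uniq -c | sed 's/^ *//'
}

# check_no_anon_fallback LOGFILE
# Returns 0 when no credentials were lost, 1 otherwise, so a test script can
# "exit 1" instead of relying on someone reading slapd.2.log.
check_no_anon_fallback() {
    n=$(anon_fallbacks "$1" | wc -l | tr -d ' ')
    if [ "$n" -ne 0 ]; then
        echo "credentials were lost for $n bind DN(s):" >&2
        anon_fallbacks "$1" >&2
        return 1
    fi
    return 0
}

if check_no_anon_fallback "$SAMPLE_LOG"; then
    echo "no anonymous fallback found in $SAMPLE_LOG"
else
    echo "regression reproduced in $SAMPLE_LOG"
fi
```

In the test script this would run right after the ldapsearch that binds as `$USERDN`, with slapd.2.log as the argument, followed by the usual `kill -HUP $KILLPIDS` cleanup and `exit 1` when the check fails.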
It appears that there's a problem with this block of code in back-ldap/bind.c, which starts at line 2489 in RE24:
	if ( rc == LDAP_SUCCESS ) {
		/* set rebind stuff in case of successful proxyAuthz bind,
		 * so that referral chasing is attempted using the right
		 * identity */
		LDAP_BACK_CONN_ISBOUND_SET( lc );
		if ( !BER_BVISNULL( binddn ) ) {
			ber_bvreplace( &lc->lc_bound_ndn, binddn );
		}

		if ( !BER_BVISNULL( &lc->lc_cred ) ) {
			memset( lc->lc_cred.bv_val, 0, lc->lc_cred.bv_len );
		}

		if ( LDAP_BACK_SAVECRED( li ) ) {
			if ( !BER_BVISNULL( bindcred ) ) {
				ber_bvreplace( &lc->lc_cred, bindcred );
				ldap_set_rebind_proc( lc->lc_ld, li->li_rebind_f, lc );
			}

		} else {
			lc->lc_cred.bv_len = 0;
		}
	}